AWS managed policies for AWS Resource Explorer

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

General AWS managed policies that include Resource Explorer permissions
  • AdministratorAccess – Grants full access to AWS services and resources.

  • ReadOnlyAccess – Grants read-only access to AWS services and resources.

  • ViewOnlyAccess – Grants permissions to view resources and basic metadata for AWS services.

    Note

    The Resource Explorer Get* permissions included in the ViewOnlyAccess policy behave like List permissions even though each returns only a single value, because a Region can contain only one index and one default view.

AWS managed policy: AWSResourceExplorerFullAccess

You can assign the AWSResourceExplorerFullAccess policy to your IAM identities.

This policy grants permissions that allow full administrative control of the Resource Explorer service. You can perform all tasks involved in turning on and managing Resource Explorer in the AWS Regions in your account.

Permissions details

This policy includes permissions that allow all actions for Resource Explorer, including turning on and turning off Resource Explorer in AWS Regions, creating or deleting an aggregator index for the account, creating, updating, and deleting views, and searching. This policy also includes permissions that are not part of Resource Explorer:

  • ec2:DescribeRegions – allows Resource Explorer to access the details about the Regions in your account.

  • ram:ListResources – allows Resource Explorer to list the resource shares that resources are part of.

  • ram:GetResourceShares – allows Resource Explorer to identify details about the resource shares that you own or that are shared with you.

  • iam:CreateServiceLinkedRole – allows Resource Explorer to create the required service-linked role when you turn on Resource Explorer by creating the first index.

  • organizations:DescribeOrganization – allows Resource Explorer to access information about your organization.

To see the latest version of this AWS managed policy, see AWSResourceExplorerFullAccess in the AWS Managed Policy Reference Guide.

AWS managed policy: AWSResourceExplorerReadOnlyAccess

You can assign the AWSResourceExplorerReadOnlyAccess policy to your IAM identities.

This policy grants read-only permissions that allow users basic search access to discover their resources.

Permissions details

This policy includes permissions that allow users to perform the Resource Explorer Get*, List*, and Search operations, so they can view information about Resource Explorer components and configuration settings and search for resources, but not change anything. This policy also includes the following permissions that are not part of Resource Explorer:

  • ec2:DescribeRegions – allows Resource Explorer to access the details about the Regions in your account.

  • ram:ListResources – allows Resource Explorer to list the resource shares that resources are part of.

  • ram:GetResourceShares – allows Resource Explorer to identify details about the resource shares that you own or that are shared with you.

  • organizations:DescribeOrganization – allows Resource Explorer to access information about your organization.

To see the latest version of this AWS managed policy, see AWSResourceExplorerReadOnlyAccess in the AWS Managed Policy Reference Guide.
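To act on the least-privilege recommendation at the top of this page, a team that only needs to search one view can be given a customer managed policy that is a strict subset of AWSResourceExplorerReadOnlyAccess. The following Python is an added example, not AWS code or policy text from this page: it reconstructs the read-only managed policy's grants from the description above, writes a scoped-down policy that allows resource-explorer-2:Search and resource-explorer-2:GetView on one view ARN only, and uses a small Allow/Deny evaluator to confirm that the custom policy never grants more than the managed one while listing what it drops. The account ID, Region, view and index ARNs are placeholders; `resource-explorer-2` is the real IAM service prefix for Resource Explorer. Conditions, NotAction and NotResource are not modelled.

```python
"""Compare a scoped-down customer managed policy against the grants described
for AWSResourceExplorerReadOnlyAccess using a minimal IAM policy evaluator.

Added example. The managed policy below is reconstructed from the prose on
this page (not fetched from IAM); ARNs, account ID and Region are placeholders.
"""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"   # placeholder
REGION = "us-east-1"       # placeholder
TEAM_VIEW = (f"arn:aws:resource-explorer-2:{REGION}:{ACCOUNT}:"
             "view/team-view/0000aaaa-1111-2222-3333-444455556666")
OTHER_VIEW = (f"arn:aws:resource-explorer-2:{REGION}:{ACCOUNT}:"
              "view/all-resources/7777bbbb-8888-9999-aaaa-bbbbccccdddd")
INDEX_ARN = (f"arn:aws:resource-explorer-2:{REGION}:{ACCOUNT}:"
             "index/9999eeee-0000-1111-2222-333344445555")

# Reconstructed from the "Permissions details" text for the read-only policy.
READ_ONLY_MANAGED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "resource-explorer-2:Get*",
            "resource-explorer-2:List*",
            "resource-explorer-2:Search",
            "ec2:DescribeRegions",
            "ram:ListResources",
            "ram:GetResourceShares",
            "organizations:DescribeOrganization",
        ],
        "Resource": "*",
    }],
}

# Customer managed policy: search and read one named view, plus the Region
# listing the console needs. Everything else the managed policy grants is gone.
SCOPED_CUSTOM = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["resource-explorer-2:Search", "resource-explorer-2:GetView"],
            "Resource": TEAM_VIEW,
        },
        {"Effect": "Allow", "Action": "ec2:DescribeRegions", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_action(pattern, action):
    # IAM action names are case-insensitive; * and ? are wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _match_resource(pattern, resource):
    # Resource ARNs are matched case-sensitively with the same wildcards.
    return fnmatchcase(resource, pattern)


def is_allowed(policy, action, resource):
    """Identity-policy decision for one request: explicit Deny wins, then any
    matching Allow, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match_action(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_match_resource(p, resource) for p in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def escalations(custom, managed, probes):
    """(action, resource) pairs the custom policy allows but the managed policy
    does not. Empty means the custom policy stays inside the managed grants."""
    return [(a, r) for a, r in probes
            if is_allowed(custom, a, r) and not is_allowed(managed, a, r)]


def dropped(custom, managed, probes):
    """(action, resource) pairs the managed policy allows that the custom one drops."""
    return [(a, r) for a, r in probes
            if is_allowed(managed, a, r) and not is_allowed(custom, a, r)]


# Probe requests built from real Resource Explorer operations (a sample, not the full API).
PROBES = [
    ("resource-explorer-2:Search", TEAM_VIEW),
    ("resource-explorer-2:Search", OTHER_VIEW),
    ("resource-explorer-2:GetView", TEAM_VIEW),
    ("resource-explorer-2:GetView", OTHER_VIEW),
    ("resource-explorer-2:UpdateView", TEAM_VIEW),
    ("resource-explorer-2:ListViews", "*"),
    ("resource-explorer-2:GetIndex", INDEX_ARN),
    ("resource-explorer-2:CreateIndex", INDEX_ARN),
    ("ec2:DescribeRegions", "*"),
    ("ram:GetResourceShares", "*"),
]

if __name__ == "__main__":
    print("escalations:", escalations(SCOPED_CUSTOM, READ_ONLY_MANAGED, PROBES))
    for action, resource in dropped(SCOPED_CUSTOM, READ_ONLY_MANAGED, PROBES):
        print("dropped:", action, resource)
```

Run as written, the escalation list is empty and five of the managed policy's grants (search and view reads on the other view, ListViews, GetIndex and ram:GetResourceShares) show up as dropped, which is the intended reduction. Re-run the probe set whenever the managed policy's version changes so that the comparison stays current.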

AWS managed policy: AWSResourceExplorerServiceRolePolicy

You can't attach AWSResourceExplorerServiceRolePolicy to any IAM entities yourself. This policy can be attached only to a service-linked role that allows Resource Explorer to perform actions on your behalf. For more information, see Using service-linked roles for Resource Explorer.

This policy grants the permissions required for Resource Explorer to retrieve information about your resources. Resource Explorer uses them to populate the index it maintains in each AWS Region where you have turned the service on.

To see the latest version of this AWS managed policy, see AWSResourceExplorerServiceRolePolicy in the IAM console.

AWS managed policy: AWSResourceExplorerOrganizationsAccess

You can assign AWSResourceExplorerOrganizationsAccess to your IAM identities.

This policy grants administrative permissions to Resource Explorer and grants read-only permissions to other AWS services to support this access. The AWS Organizations administrator needs these permissions to set up and manage multi-account search in the console. Because the policy includes organizations:EnableAWSServiceAccess and organizations:RegisterDelegatedAdministrator, which change settings for the whole organization, attach it only to the principals that actually perform that setup.

Permissions details

This policy includes permissions that allow administrators to set up multi-account search for the organization:

  • ec2:DescribeRegions – Allows Resource Explorer to access the details about the Regions in your account.

  • ram:ListResources – Allows Resource Explorer to list the resource shares that resources are part of.

  • ram:GetResourceShares – Allows Resource Explorer to identify details about the resource shares that you own or that are shared with you.

  • organizations:ListAccounts – Allows Resource Explorer to identify the accounts within an organization.

  • organizations:ListRoots – Allows Resource Explorer to identify the roots that are defined in the organization.

  • organizations:ListOrganizationalUnitsForParent – Allows Resource Explorer to identify the organizational units (OUs) in a parent organizational unit or root.

  • organizations:ListAccountsForParent – Allows Resource Explorer to identify the accounts in an organization that are contained by the specified target root or an OU.

  • organizations:ListDelegatedAdministrators – Allows Resource Explorer to identify the AWS accounts that are designated as delegated administrators in this organization.

  • organizations:ListAWSServiceAccessForOrganization – Allows Resource Explorer to identify a list of the AWS services that are enabled to integrate with your organization.

  • organizations:DescribeOrganization – Allows Resource Explorer to retrieve information about the organization that the user's account belongs to.

  • organizations:EnableAWSServiceAccess – Allows Resource Explorer to enable the integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations.

  • organizations:DisableAWSServiceAccess – Allows Resource Explorer to disable the integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations.

  • organizations:RegisterDelegatedAdministrator – Allows Resource Explorer to enable the specified member account to administer the organization's features of the specified AWS service.

  • organizations:DeregisterDelegatedAdministrator – Allows Resource Explorer to remove the specified member AWS account as a delegated administrator for the specified AWS service.

  • iam:GetRole – Allows Resource Explorer to retrieve information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role.

  • iam:CreateServiceLinkedRole – Allows Resource Explorer to create the required service-linked role when you turn on Resource Explorer by creating the first index.

To see the latest version of this AWS managed policy, see AWSResourceExplorerOrganizationsAccess in the IAM console.

Resource Explorer updates to AWS managed policies

View details about updates to AWS managed policies for Resource Explorer since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Resource Explorer Document history page.
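The changelog below records what AWS changed, but as noted earlier on this page, a managed policy update reaches every principal the policy is attached to, so it is worth diffing versions yourself rather than waiting for the table. The following Python is an added example, not AWS code: it flattens two policy documents into (effect, action, resource, condition) grants, reports what was added or removed, and flags versions that can allow something the previous one could not. The two documents are constructed stand-ins shaped like a policy-version Document, not the real text of AWSResourceExplorerServiceRolePolicy. In practice the inputs come from `aws iam get-policy` (for DefaultVersionId) and `aws iam get-policy-version`; the raw API returns Document URL-encoded, while the AWS CLI and boto3 present it as a JSON object, which is what load_version() expects.

```python
"""Diff two versions of an IAM policy document and flag access-widening changes.

Added example. V1 and V2 are constructed sample documents, not the real
AWSResourceExplorerServiceRolePolicy.
"""
import json

# Constructed: an earlier version of a service-role-style policy.
V1 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "IndexResources",
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "tag:GetResources"],
        "Resource": "*",
    }],
}

# Constructed: a later version that adds two read actions for a new resource type.
V2 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "IndexResources",
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "tag:GetResources",
                   "sqs:ListQueues", "sqs:ListQueueTags"],
        "Resource": "*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def load_version(get_policy_version_output):
    """Extract the policy document from a decoded get-policy-version response."""
    return get_policy_version_output["PolicyVersion"]["Document"]


def grants(policy):
    """Flatten a policy into a set of (effect, action, resource, condition) tuples.

    Lists and single strings normalize to the same tuples, and statement order
    is irrelevant, so cosmetic edits produce no diff. The Condition block is
    serialized with sorted keys so a new or loosened condition is still reported.
    """
    out = set()
    for stmt in policy["Statement"]:
        cond = json.dumps(stmt.get("Condition", {}), sort_keys=True)
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                out.add((stmt["Effect"], action, resource, cond))
    return out


def policy_diff(old, new):
    """Return (added, removed) as sorted lists of grant tuples."""
    before, after = grants(old), grants(new)
    return sorted(after - before), sorted(before - after)


def widens_access(added, removed):
    """True when the new version can allow a request the old version could not:
    a new Allow grant, or a Deny grant that disappeared."""
    return (any(g[0] == "Allow" for g in added)
            or any(g[0] == "Deny" for g in removed))


if __name__ == "__main__":
    added, removed = policy_diff(V1, V2)
    for g in added:
        print("+", *g)
    for g in removed:
        print("-", *g)
    print("widens access:", widens_access(added, removed))
```

A version that only adds a Deny statement or tightens a Condition is reported but not flagged as widening, so the flag can gate an alert while the full diff goes into the review ticket.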

Each entry below gives the change, its description, and the date it took effect.

New managed policy

Resource Explorer added the following AWS managed policy:

November 14, 2023

Updated managed policies

Resource Explorer updated the following AWS managed policies to support multi-account search:

November 14, 2023

AWSResourceExplorerServiceRolePolicy – Updated policy to support multi-account search with Organizations

Resource Explorer added permissions to the service-linked role policy AWSResourceExplorerServiceRolePolicy that allow Resource Explorer to support multi-account search with Organizations:

  • organizations:ListAWSServiceAccessForOrganization

  • organizations:DescribeAccount

  • organizations:DescribeOrganization

  • organizations:ListAccounts

  • organizations:ListDelegatedAdministrators

November 14, 2023

AWSResourceExplorerServiceRolePolicy – Updated policy to support additional resource types

Resource Explorer added permissions to the service-linked role policy AWSResourceExplorerServiceRolePolicy that allow the service to index the following resource types:

  • accessanalyzer:analyzer

  • acmpca:certificateauthority

  • amplify:app

  • amplify:backendenvironment

  • amplify:branch

  • amplify:domainassociation

  • amplifyuibuilder:component

  • amplifyuibuilder:theme

  • appintegrations:eventintegration

  • apprunner:service

  • appstream:appblock

  • appstream:application

  • appstream:fleet

  • appstream:imagebuilder

  • appstream:stack

  • appsync:graphqlapi

  • aps:rulegroupsnamespace

  • aps:workspace

  • apigateway:restapi

  • apigateway:deployment

  • athena:datacatalog

  • athena:workgroup

  • autoscaling:autoscalinggroup

  • backup:backupplan

  • batch:computeenvironment

  • batch:jobqueue

  • batch:schedulingpolicy

  • cloudformation:stack

  • cloudformation:stackset

  • cloudfront:fieldlevelencryptionconfig

  • cloudfront:fieldlevelencryptionprofile

  • cloudfront:originaccesscontrol

  • cloudtrail:trail

  • codeartifact:domain

  • codeartifact:repository

  • codecommit:repository

  • codeguruprofiler:profilinggroup

  • codestarconnections:connection

  • databrew:dataset

  • databrew:recipe

  • databrew:ruleset

  • detective:graph

  • directoryservices:directory

  • ec2:carriergateway

  • ec2:verifiedaccessendpoint

  • ec2:verifiedaccessgroup

  • ec2:verifiedaccessinstance

  • ec2:verifiedaccesstrustprovider

  • ecr:repository

  • elasticache:cachesecuritygroup

  • elasticfilesystem:accesspoint

  • events:rule

  • evidently:experiment

  • evidently:feature

  • evidently:launch

  • evidently:project

  • finspace:environment

  • firehose:deliverystream

  • faultinjectionsimulator:experimenttemplate

  • forecast:datasetgroup

  • forecast:dataset

  • frauddetector:detector

  • frauddetector:entitytype

  • frauddetector:eventtype

  • frauddetector:label

  • frauddetector:outcome

  • frauddetector:variable

  • gamelift:alias

  • globalaccelerator:accelerator

  • globalaccelerator:endpointgroup

  • globalaccelerator:listener

  • glue:database

  • glue:job

  • glue:table

  • glue:trigger

  • greengrass:group

  • healthlake:fhirdatastore

  • iam:virtualmfadevice

  • imagebuilder:componentbuildversion

  • imagebuilder:component

  • imagebuilder:containerrecipe

  • imagebuilder:distributionconfiguration

  • imagebuilder:imagebuildversion

  • imagebuilder:imagepipeline

  • imagebuilder:imagerecipe

  • imagebuilder:image

  • imagebuilder:infrastructureconfiguration

  • iot:authorizer

  • iot:jobtemplate

  • iot:mitigationaction

  • iot:provisioningtemplate

  • iot:securityprofile

  • iot:thing

  • iot:topicruledestination

  • iotanalytics:channel

  • iotanalytics:dataset

  • iotanalytics:datastore

  • iotanalytics:pipeline

  • iotevents:alarmmodel

  • iotevents:detectormodel

  • iotevents:input

  • iotsitewise:assetmodel

  • iotsitewise:asset

  • iotsitewise:gateway

  • iottwinmaker:workspace

  • ivs:channel

  • ivs:streamkey

  • kafka:cluster

  • kinesisvideo:stream

  • lambda:alias

  • lambda:layerversion

  • lambda:layer

  • lookoutmetrics:alert

  • lookoutvision:project

  • mediapackage:channel

  • mediapackage:originendpoint

  • mediatailor:playbackconfiguration

  • memorydb:acl

  • memorydb:cluster

  • memorydb:parametergroup

  • memorydb:user

  • mobiletargeting:app

  • mobiletargeting:segment

  • mobiletargeting:template

  • networkfirewall:firewallpolicy

  • networkfirewall:firewall

  • networkmanager:globalnetwork

  • networkmanager:device

  • networkmanager:link

  • networkmanager:attachment

  • networkmanager:corenetwork

  • panorama:package

  • qldb:journalkinesisstreamsforledger

  • qldb:ledger

  • rds:bluegreendeployment

  • refactorspaces:application

  • refactorspaces:environment

  • refactorspaces:route

  • refactorspaces:service

  • rekognition:project

  • resiliencehub:app

  • resiliencehub:resiliencypolicy

  • resourcegroups:group

  • route53:recoverygroup

  • route53:resourceset

  • route53:firewalldomain

  • route53:firewallrulegroup

  • route53:resolverendpoint

  • route53:resolverrule

  • sagemaker:model

  • sagemaker:notebookinstance

  • signer:signingprofile

  • ssmincidents:responseplan

  • ssm:inventoryentry

  • ssm:resourcedatasync

  • states:activity

  • timestream:database

  • wisdom:assistant

  • wisdom:assistantassociation

  • wisdom:knowledgebase

October 17, 2023

AWSResourceExplorerServiceRolePolicy – Updated policy to support additional resource types

Resource Explorer added permissions to the service-linked role policy AWSResourceExplorerServiceRolePolicy that allow the service to index the following resource types:

  • codebuild:project

  • codepipeline:pipeline

  • cognito:identitypool

  • cognito:userpool

  • ecr:repository

  • efs:filesystem

  • elasticbeanstalk:application

  • elasticbeanstalk:applicationversion

  • elasticbeanstalk:environment

  • iot:policy

  • iot:topicrule

  • stepfunctions:statemachine

  • s3:bucket

August 1, 2023

AWSResourceExplorerServiceRolePolicy – Updated policy to support additional resource types

Resource Explorer added permissions to the service-linked role policy AWSResourceExplorerServiceRolePolicy that allow the service to index the following resource types:

  • elasticache:cluster

  • elasticache:globalreplicationgroup

  • elasticache:parametergroup

  • elasticache:replicationgroup

  • elasticache:reserved-instance

  • elasticache:snapshot

  • elasticache:subnetgroup

  • elasticache:user

  • elasticache:usergroup

  • lambda:code-signing-config

  • lambda:event-source-mapping

  • sqs:queue

March 7, 2023

New managed policies

Resource Explorer added the following AWS managed policies:

November 7, 2022

Resource Explorer started tracking changes

Resource Explorer started tracking changes for its AWS managed policies.

November 7, 2022